
Episode 020: 04‐06‐2024 Identity Governance for the Whole Enterprise

Michael Schwartz edited this page Jun 4, 2024 · 9 revisions

Linkedin Event

Description

Software to assist with Identity Governance and with reviewing users' access has been around for a decade. Many implementers struggle to integrate quickly and to onboard applications. This discussion covers a new approach to governance deployment, as well as leveraging technology to scale coverage to all of the business applications. Instead of one or two dozen integrations over multiple years, we should be integrating hundreds, if not more.

Homework

White paper based on DoD Identity Governance project Talk

Takeaways

  • An enterprise Identity and Access Governance ("IAG") infrastructure, assisted by software, is still a business process. The most important metric for IAG is coverage: the more apps covered by your governance program, the higher the ROI to the business. So getting more apps "onboarded" is important, and the IAG process itself should not be a bottleneck for application onboarding. Enterprises need to implement a more "parallel" application onboarding process if they want to achieve more velocity.

  • At the risk of oversimplifying... today the main approach for IAG practitioners is to identify three things about an application: (1) who are the "users" (i.e., how to correlate each app account with an enterprise identity); (2) what are the "permissions" in the application; (3) how app permissions map to users. Prima facie, declarative authz policies make permission discovery and mapping easier: the permissions are enumerated in the policy itself, so there is no need to dig into the source code.

  • To comply with security standards like ISO (e.g. ISO 27001) or SOC 2, enterprises must implement a process to review and approve access. Provisioning users for access to resources based on their role or job code is a core enterprise IT practice today that satisfies this compliance requirement. One challenge for a new generation of authz tools that don't use RBAC is that they need a corresponding strategy for how enterprises can review and approve the access they grant.

  • Enterprise IAG is hard! You need to retrofit IAG to cover old legacy systems, which may mean syncing .csv files. You may find that the identity and security teams don't communicate. Some businesses may have platforms like ServiceNow, Salesforce, or Zoho that heavily influence the best way to solve IAG. You may have to discover common patterns of access specific to your organization or to a set of applications. And you need to make it easy for the business to help themselves.
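The three discovery steps in the takeaways above (correlate users, enumerate permissions, map permissions to users), and the governance strategy for a non-RBAC tool (materialize the effective access its attribute rules grant so it can be reviewed like role assignments), as one added example. This is illustrative code written for this page, not software from the episode or from any product it mentions. The policy format, the enterprise directory, and the app's CSV export are all constructed for the example; real deployments would read these from the policy store, the IdP/HR system, and the application respectively.

```python
"""Discover permissions and map them to enterprise identities from a
declarative authz policy. Added example; the policy format, the sample
directory and the app's CSV export are all constructed for illustration."""
import csv
import io

# Constructed enterprise directory: the authoritative identity source.
DIRECTORY = [
    {"employee_id": "E100", "email": "alice@example.com", "department": "Finance", "title": "Manager"},
    {"employee_id": "E101", "email": "bob@example.com", "department": "Finance", "title": "Analyst"},
    {"employee_id": "E102", "email": "carol@example.com", "department": "Internal Audit", "title": "Auditor"},
]

# Constructed CSV export from a legacy app: app-local usernames plus the
# only correlating attribute the app keeps, an email address.
APP_USERS_CSV = """username,email
alice.f,alice@example.com
bsmith,bob@example.com
caudit,carol@example.com
svc_batch,
"""

# Constructed declarative policy in a hypothetical format: roles carry
# permissions; access is granted either by a static assignment (RBAC) or
# by an attribute rule evaluated against the enterprise identity (ABAC).
POLICY = {
    "roles": {
        "invoice_clerk": ["invoice:read", "invoice:create"],
        "invoice_approver": ["invoice:read", "invoice:approve"],
        "auditor": ["invoice:read", "audit:export"],
    },
    "assignments": [{"user": "bsmith", "role": "invoice_clerk"}],
    "rules": [
        {"role": "invoice_approver", "when": {"department": "Finance", "title": "Manager"}},
        {"role": "auditor", "when": {"department": "Internal Audit"}},
    ],
}


def correlate_users(app_csv, directory):
    """(1) Who are the users: map app-local usernames to enterprise identities.
    Returns (matched: {username: identity}, orphans: [username])."""
    by_email = {d["email"].lower(): d for d in directory}
    matched, orphans = {}, []
    for row in csv.DictReader(io.StringIO(app_csv)):
        ident = by_email.get((row["email"] or "").strip().lower())
        if ident is None:
            orphans.append(row["username"])  # no enterprise owner: a review finding
        else:
            matched[row["username"]] = ident
    return matched, orphans


def list_permissions(policy):
    """(2) What are the permissions: read them from the policy, not the code."""
    return sorted({p for perms in policy["roles"].values() for p in perms})


def effective_roles(policy, username, identity):
    """Roles a user holds, with the reason each one applies. Attribute rules
    are evaluated here so ABAC grants become reviewable like static ones."""
    roles = {}
    for a in policy["assignments"]:
        if a["user"] == username:
            roles[a["role"]] = "static assignment"
    for rule in policy["rules"]:
        if all(identity.get(k) == v for k, v in rule["when"].items()):
            roles.setdefault(rule["role"], "rule " + repr(rule["when"]))
    return roles


def build_review(policy, app_csv, directory):
    """(3) Map permissions to users: one row per correlated account with its
    effective permissions, plus the orphan accounts and the permission catalog."""
    matched, orphans = correlate_users(app_csv, directory)
    rows = []
    for username, ident in sorted(matched.items()):
        roles = effective_roles(policy, username, ident)
        perms = sorted({p for r in roles for p in policy["roles"][r]})
        rows.append({"employee_id": ident["employee_id"], "username": username,
                     "roles": roles, "permissions": perms})
    return {"rows": rows, "orphans": orphans, "catalog": list_permissions(policy)}


if __name__ == "__main__":
    report = build_review(POLICY, APP_USERS_CSV, DIRECTORY)
    print("permission catalog:", report["catalog"])
    for r in report["rows"]:
        print(r["employee_id"], r["username"], r["permissions"], r["roles"])
    print("orphan accounts (no enterprise owner):", report["orphans"])
```

Running the script produces the review artifacts a certifier needs: a permission catalog pulled straight from the policy, one row per correlated account showing its effective permissions and why each role applies, and the list of app accounts (here `svc_batch`) that could not be tied to an enterprise identity. The rule-derived grants are the part an RBAC-only review would miss; computing them from the directory attributes is the "corresponding strategy" for governing a tool whose policy is attribute-based.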

Livestream Audio Archive

here
